Information for EU Data Subjects
In its capacity as a data processor providing services to colleges, OCAS complies with the General Data Protection Regulation (“GDPR”) and assists colleges in complying with their obligations as data controllers by facilitating the exercise of data subject rights.
Legal Basis for Processing Your Personal Information
We are a data processor and process your personal information on behalf of the college you are applying to, which is the controller of your personal information.
We process your personal information on the following legal bases:
- You consented to our processing of your personal information by applying for admission in a program offered by a college. You may withdraw your consent to the use of your personal information at any time, in accordance with your right to withdraw consent, further explained in the Your Rights section, below;
- Our processing of your personal information is in our legitimate interest or in the legitimate interest of the college you are applying to (for example, in order to make improvements to our services); you have a right to object to such processing as explained in the section below entitled Your Rights;
- Our processing of your personal information is necessary to perform a contract or take steps to enter into a contract with you (for example where we process your payment information when you have been accepted to a college); and/or
- Our processing of your personal information is necessary to comply with a relevant legal or regulatory obligation that we have (for example, where we are required to disclose personal information to a court or tax authority).
OCAS is located in Ontario, Canada. We may subcontract the processing of your personal information to, or otherwise share your personal information with, other third parties in countries other than your country of residence. As a result, where the personal information that we collect through or in connection with our services is transferred to and processed in a jurisdiction outside the European Economic Area (EEA) for the purposes described above, we will take steps to ensure that the information receives an adequate level of protection, including by entering into Standard Contractual Clauses or relying on other lawful transfer mechanisms.
Your Rights
Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, EU data subjects have certain rights in relation to their personal information.
Right to Withdraw Consent. You may withdraw your consent for purposes not necessary to provide our services at any time. If you withdraw your consent to the processing of personal information, OCAS may limit the services it is able to provide to you.
Right to access, correct, and delete your personal information. You have the right to request access to the personal information that we hold about you as well as the following information: (i) the source of your personal information; (ii) the purposes, legal basis and methods of processing; (iii) the data controller’s identity; and (iv) the entities or categories of entities to whom your personal information may be transferred. You also have the right to request that we delete your personal information. Please note that we are not required to comply with your request to delete personal information if the processing of your personal information is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.
Right to restrict the processing of your personal information. You have the right to restrict the processing of your personal information in the following circumstances: (i) you contest the accuracy of the personal information; (ii) the processing is unlawful but you wish to restrict rather than prohibit the processing of your personal information; (iii) the purposes for processing your personal information no longer exist, but you require the personal information for the establishment, exercise, or defence of legal claims; or (iv) you have legitimately objected to the processing of your personal information and the processing is therefore restricted pending the verification of whether the legitimate grounds of the controller override your objection. Please note that we can continue to process your personal information following a request for restriction: if we have your consent; to establish, exercise or defend legal claims; or to protect the rights of another natural or legal person.
Right to data portability. To the extent that we process your personal information (i) based on your consent or under a contract and (ii) through automated means, you can ask us to provide you with a copy of your information in a structured, commonly used, machine-readable format. You can also ask us to have the information you submitted in relation to your application to a college transferred to another college you wish to apply to.
Right to object to the processing of your personal information. You can object to any processing of your personal information which has the legitimate interests of OCAS or a college as its legal basis if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests that override your rights and freedoms.
Right to lodge a complaint with your local supervisory authority. You have a right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal information.
We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
How to Exercise Your Rights
If you would like to exercise any of the rights described above, please contact the OCAS Privacy Officer at 519.763.2363 or email firstname.lastname@example.org.